2 hits at VirusTotal … vendor does not know or does not care.
SHA256: 0ea2be59b2daea1b112ec478340e45da3da0b338256c0d3d6729fb3aeffa964e
File name: music_morpher.exe
Detection ratio: 2 / 68
Analysis date: 2019-05-20 09:56:55 UTC ( 1 week, 1 day ago )
Antivirus Result Update
Cyren W32/Trojan.BJL.gen!Eldorado 20190520
F-Prot W32/Trojan.BJL.gen!Eldorado 20190520
Equivalent to Microsoft’s name for it: Trojan:Win32/Estiwir.A
This trojan downloads other malware onto your computer and can stop some programs or applications from working correctly.
It is downloaded onto your computer by other malware, including PWS:Win32/OnLineGames.AH and PWS:Win32/Lolyda.BF.
This threat may download other malware that can steal your information by recording usernames and passwords. After you remove this threat it is a good idea to change your passwords.
It is installed in the <system folder> as Midimap.dll, replacing the legitimate Midimap.dll file.
When run, Trojan:Win32/Estiwir.A is injected to Explorer.exe. It then downloads and runs other malware, including PWS:Win32/OnLineGames.AH.
The downloaded malware files are saved and run in the %TEMP% folder with the filename <10 numbers>.exe, for example: 7223939032.exe.
In the wild, additional malware was downloaded from the following URLs:
The downloaded malware is detected as PWS:Win32/OnLineGames.AH.
Stops service and deletes files
Trojan:Win32/Estiwir.A stops the following services:
EstRtwIFDrv
v3engine
The trojan deletes the <system folder>\drivers\EstRtw.sys. This file is related to the EstRtwIFDrv service.
These services are related to AhnLab security software and an ESTsoft Corp application. It likely stops these services to prevent detection.
The presence of this malware may stop AhnLab security software or ESTsoft Corp applications from working correctly.
Analysis by Ric Robielos
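As an added example (not part of the post or of Microsoft's write-up), a PowerShell triage script that checks a Windows host for the indicators listed above: it assumes that "<system folder>" means %SystemRoot%\System32 and that the legitimate midimap.dll carries a Microsoft signature (embedded or catalog), which Get-AuthenticodeSignature verifies.

```powershell
# Added host triage script; not code from the forum post or the vendor write-up.
# Assumption: "<system folder>" in the description is %SystemRoot%\System32.
$findings = @()

# 1. The trojan replaces midimap.dll; the real file is signed by Microsoft.
$midimap = Join-Path $env:SystemRoot 'System32\midimap.dll'
if (Test-Path $midimap) {
    $sig = Get-AuthenticodeSignature -FilePath $midimap
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "midimap.dll signature check failed: $($sig.Status)"
    }
}

# 2. Downloaded payloads are written to %TEMP% as <10 digits>.exe (e.g. 7223939032.exe).
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{10}\.exe$' } |
    ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $findings += "suspicious payload in TEMP: $($_.FullName) sha256=$hash"
    }

# 3. The trojan stops the EstRtwIFDrv and v3engine services and deletes drivers\EstRtw.sys.
foreach ($svc in 'EstRtwIFDrv', 'v3engine') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "security service $svc is present but $($s.Status)"
    }
}
$driver = Join-Path $env:SystemRoot 'System32\drivers\EstRtw.sys'
if ((Get-Service -Name 'EstRtwIFDrv' -ErrorAction SilentlyContinue) -and -not (Test-Path $driver)) {
    $findings += "EstRtwIFDrv service is registered but $driver is missing"
}

# Report: an empty list means none of the described indicators were seen.
if ($findings.Count -eq 0) { 'No Estiwir.A indicators found' } else { $findings }
```

A hit on check 2 or 3 is only a lead, not proof of infection; submit any flagged file's hash to VirusTotal and compare against the ratio quoted in the post before acting.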